# Legal Protection & Payments

## Legal (Lean Approach)

### What Pieter Levels Uses

Pieter Levels (maker of Nomad List, Remote OK, Photo AI) keeps it minimal:

- Simple Terms of Service page
- Simple Privacy Policy page
- Generated with free/cheap tools, not expensive services like Termly

### Recommended Approach

1. **Terms of Service** — Use a free generator (TermsFeed free tier, GetTerms.io) or write a simple one
2. **Privacy Policy** — Required if collecting any user data. Free generators available
3. **Cookie Banner** — Only needed if using analytics/tracking cookies
4. **Business Entity** — LLC ($50-150 depending on state) for liability protection
5. **Don't over-engineer** — Until you have paying users, simple legal pages are fine

### When to Upgrade

- Taking payments → need proper ToS with refund policy
- Handling health data → HIPAA considerations
- EU users → GDPR compliance (data export, deletion rights)
- Enterprise clients → may need SOC 2, BAA agreements

## Payments

### Options (Easiest to Hardest)

| Service | Fees | Best For | Setup Time |
|---------|------|----------|------------|
| Lemon Squeezy | 5% + $0.50 | Merchant of record, handles tax/VAT | 1 day |
| Paddle | 5% + $0.50 | Same as Lemon Squeezy, more established | 1 day |
| Stripe | 2.9% + $0.30 | Full control, most flexible | 2-3 days |
| Gumroad | 10% | Digital products, simplest | Hours |

### Recommendation

- **Start with Lemon Squeezy or Paddle** — they handle sales tax, VAT, and act as merchant of record (you don't need a business entity)
- **Move to Stripe** when you need more control or lower fees at scale
- Both have simple JS SDKs and webhook integrations

### Integration Pattern

```
User clicks "Subscribe"
  → Redirect to payment provider checkout
  → Provider handles payment
  → Webhook to your API
  → API updates user subscription status in DB
```

Keep payment logic out of your app. Let the provider handle checkout, invoicing, and tax.